diff --git a/README.md b/README.md
index 9a7f903..ae75067 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@ # Standalone payload.elf loader
-This is a payload that should be run with [MochaLite](https://github.com/wiiu-env/MochaLite) before the System Menu.
+This is .rpx is meant to run in a envrionment with sd and codegen (jit) access. It's exploits the Cafe OS and maps 8 MiB of usable memory from 0x30000000...0x30800000 (physical address) to 0x00800000... 0x01000000 (virtual address) where a payload will be loaded. You may need to hook into the kernel and patch out some thing to gain persistent access to this area. The loaded `hook_payload.elf` needs to be mapped to this memory area.
diff --git a/source/gx2sploit.cpp b/source/gx2sploit.cpp
index 85c535e..6464098 100644
--- a/source/gx2sploit.cpp
+++ b/source/gx2sploit.cpp
@@ -242,7 +242,6 @@ int DoKernelExploit(void) { OSThread *thread = (OSThread*)memalign(8, 0x1000); uint8_t *stack = (uint8_t*)memalign(0x40, 0x2000); - OSSwitchSecCodeGenMode(0); memcpy((void*)0x1800000, (void*)&SCKernelCopyData, 0x100);
@@ -262,7 +261,6 @@ int DoKernelExploit(void) { OSSwitchSecCodeGenMode(1); - if (OSCreateThread(thread, (OSThreadEntryPointFn)exploitThread, 0, NULL, stack + 0x2000, 0x2000, 0, 0x1) == 0) { OSFatal("Failed to create thread"); }
@@ -278,7 +276,6 @@ int DoKernelExploit(void) { uint32_t targetAddress = 0x017FF000; KernelWrite((uint32_t) backupBuffer, (void*) 0x017FF000, 0x40); - targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528 targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03 targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3
@@ -304,8 +301,6 @@ int DoKernelExploit(void) { /* run our kernel code :) */ SC_0x36_SETBATS(); - WHBLogPrintf("repair data"); - /* repair data */ KernelWrite(targetAddress, backupBuffer, sizeof(backupBuffer)); DCFlushRange((void*)targetAddress, sizeof(backupBuffer));
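Review bot: Neither `memalign` result at the top of the hunk at line 242 is checked, so a failed allocation reaches the `OSCreateThread` call in the hunk at line 262 with a null `thread` or `stack`, and the existing `OSFatal` guard there only covers a zero return from `OSCreateThread`, not what that call does with a null argument. Failing early right after the two allocations gives a clear message instead: `if (thread == NULL || stack == NULL) { OSFatal("Failed to allocate exploit thread or stack"); }`. The `0x2000` stack size is repeated between the two hunks and the `0x100` passed to `memcpy` for `SCKernelCopyData` is unexplained; a named constant for each would make the relationship visible. DoKernelExploit starts before this hunk and continues after it.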
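Review bot: The backup on the second line of the hunk at line 278 copies `0x40` bytes from the literal `0x017FF000`, while the restore in the hunk at line 304 writes `sizeof(backupBuffer)` bytes back to `targetAddress`; if `backupBuffer` (declared outside the hunk) is not exactly 0x40 bytes, the two sizes disagree and the restore either writes bytes that were never saved or leaves part of the patch in place. Using the variable and the same size expression on both sides keeps them in step: `KernelWrite((uint32_t) backupBuffer, (void*) targetAddress, sizeof(backupBuffer));`. The literal is also repeated on the line directly after `targetAddress` was defined to hold it. DoKernelExploit continues outside the hunk.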
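Review bot: The restore at the end of the hunk at line 304 flushes the data cache after writing the saved bytes back to `targetAddress`, but no instruction-cache invalidation is visible for a region that the hunk at line 278 fills with instructions and the preceding `SC_0x36_SETBATS` call runs; unless `ICInvalidateRange((void*)targetAddress, sizeof(backupBuffer));` already follows below the hunk, stale code can remain cached after the patch is undone. Dropping the `WHBLogPrintf` is fine, but with the log line gone the intent of the three restore lines is carried only by `/* repair data */`; a slightly fuller comment such as `/* put the original bytes back so the patched region matches its saved contents */` would keep it readable. DoKernelExploit continues past the end of this hunk.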